IT Policies, Standards and Technical Directives
Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes

07/19/09        Copyright 2009 Sarah Cortes               1
Agenda
• Who are we?
• Purpose?
• Standards Frameworks
• COBIT Framework
• ISACA Framework
• Case Study

Sarah Cortes, PMP, CISA
Clients:
• Harvard University
• Biogen
• Fidelity

Professional Associations:
• Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature

Practice expertise:
• Complex Application Development/Implementation
• IT Security/Privacy/Risk Management/Audit Management
• Data Center Operations Management
• Disaster Recovery/High Availability
• Program/Project Management

Background:
• SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
• As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
• Coordinated over 65 audits per year
• Previously ran major applications development for Trading/Analytics Systems

Standards Overview
• ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
• ITIL - Information Technology Infrastructure Library
• NIST - National Institute of Standards and Technology
• PMBOK - Project Management Body of Knowledge
• TOGAF - The Open Group Architecture Framework
• CMMI for Development - Capability Maturity Model Integration; SEI’s CMM (Capability Maturity Model) for SW, (US DoD) Software Engineering Institute
• COBIT - Control Objectives for Information & related Technology, Information Systems Audit and Control Association

Is the Purpose to…?
• Drive you crazy?
• Waste your precious resources in a pointless task that will soon be out of date?
• Serve as evidence to be used against you later?

Could policies help….?
• Save you after you have already gotten into trouble?
• Attempt, however lamely, to keep you out of trouble
• Prove that, however obvious the trouble is, it is not your fault

Calling in the Experts

Did you know….?
• Seven out of ten attacks are from…

You may be wondering…
• Why develop and document IT policies, standards and technical directives?
• Is it really worth it? What’s in it for me?
• Who will pay for the resources thusly diverted?

COBIT Control Objectives - Overview
• PLAN AND ORGANISE - 10
• ACQUIRE AND IMPLEMENT - 7
• DELIVER AND SUPPORT - 13
• MONITOR AND EVALUATE - 4
• Total - 34

COBIT Control Objectives - PLAN AND ORGANISE
• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine Technological Direction
• PO4 Define the IT Processes, Organization and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage IT Human Resources
• PO8 Manage Quality
• PO9 Assess and Manage IT Risks
• PO10 Manage Projects

COBIT Control Objectives - ACQUIRE AND IMPLEMENT
• AI1 Identify Automated Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Infrastructure
• AI4 Enable Operation and Use
• AI5 Procure IT Resources
• AI6 Manage Changes
• AI7 Install and Accredit Solutions and Changes

COBIT Control Objectives - DELIVER AND SUPPORT
• DS1 Define and Manage Service Levels
• DS2 Manage Third-party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Allocate Costs
• DS7 Educate and Train Users
• DS8 Manage Service Desk and Incidents
• DS9 Manage the Configuration
• DS10 Manage Problems
• DS11 Manage Data
• DS12 Manage the Physical Environment
• DS13 Manage Operations

COBIT Control Objectives - MONITOR AND EVALUATE
• ME1 Monitor and Evaluate IT Performance
• ME2 Monitor and Evaluate Internal Control
• ME3 Ensure Regulatory Compliance
• ME4 Provide IT Governance

COBIT Control Objectives - DS5 Ensure Systems Security
• DS5.1 Management of IT Security
• DS5.2 IT Security Plan
• DS5.3 Identity Management
• DS5.4 User Account Management
• DS5.5 Security Testing, Surveillance and Monitoring
• DS5.6 Security Incident Definition
• DS5.7 Protection of Security Technology
• DS5.8 Cryptographic Key Management
• DS5.9 Malicious SW Prevention, Detection, Correction
• DS5.10 Network Security
• DS5.11 Exchange of Sensitive Data

ISACA Standards, Guidelines & Procedures
• IS Guideline G18: IT Governance
• IS Guideline G20: Reporting
• IS Guideline G21: Enterprise Resource Planning (ERP) Systems
• IS Guideline G22: Business to Consumer (B2C) E-commerce
• IS Guideline G23: System Development Life Cycle (SDLC)
• IS Guideline G24: Internet Banking
• IS Guideline G25: Review of Virtual Private Networks
• IS Guideline G26: Business Process Reengineering (BPR) Project
• IS Guideline G27: Mobile Computing
• IS Guideline G28: Computer Forensics
• IS Guideline G29: Post Implementation Review
• IS Guideline G30: Competence
• IS Guideline G31: Privacy
• IS Guideline G32: Business Continuity Plan (BCP) - IT Perspective
• IS Guideline G33: General Considerations on the Use of Internet
• IS Guideline G34: Responsibility, Authority and Accountability
• IS Guideline G35: Follow-up Activities

ISACA Standards, Guidelines & Procedures (continued)
• IS Guideline G36: Biometric Controls
• IS Guideline G38: Access Controls
• IS Guideline G39: IT Organization
• IS Guideline G40: Review of Security Management Practices
• IS Procedure P01: IS Risk Assessment Measurement
• IS Procedure P02: Digital Signatures
• IS Procedure P03: Intrusion Detection
• IS Procedure P04: Viruses and Other Malicious Logic
• IS Procedure P05: Control Risk Self-assessment
• IS Procedure P06: Firewalls
• IS Procedure P07: Irregularities and Illegal Acts
• IS Procedure P08: Security - Pen Testing/Vulnerability Analysis
• IS Procedure P09: Mgt Controls Over Encryption Methodologies
• IS Procedure P10: Business Application Change Control
• IS Procedure P11: Electronic Funds Transfer (EFT)

Company A Process
• Over 50 subsidiaries
• Over 30,000 employees worldwide
• Over 12,000 employees in Boston area
• Over 250 IT Policy categories
• Over 500 Technical directives
• Periodic Advisory Board Review process

Company A Issues
• Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
• Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
• A policy begets formal training and training recordkeeping (applications unto themselves)

Company A Issues (continued)
• “Required,” “Recommended,” or “Highly Recommended?” (the shell game)
• Need to self-assess at the policy element level (a/k/a your new full-time job)


COBIT and IT Policy Presentation

  • 1. IT Policies, Standards and Technical Directives Sarah Cortes, PMP, CISA www.inmantechnologyIT.com Sarah’s blog: SecurityWatch Sarah’s ITtechEx column twitter: SecuritySpy LinkedIn: Sarah Cortes 07/19/09 Copyright 2009 Sarah Cortes 1
  • 2. IT Policies, Standards and Technical Directives Agenda  Who are we?  Purpose?  Standards Frameworks  COBIT Framework  ISACA Framework  Case Study 07/19/09 Copyright 2009 Sarah Cortes 2
  • 3. Sarah Cortes, PMP, CISA  Clients: • Harvard University • Biogen • Fidelity  Professional Associations: • Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature  Practice expertise • Complex Application Development/Implementation • IT Security/Privacy/Risk Management/Audit Management • Data Center Operations Management • Disaster Recovery/High Availability • Program/Project Management  Background • SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments • As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center • Coordinated over 65 audits per year • Previously ran major applications development for Trading/Analytics Systems 07/19/09 Copyright 2009 Sarah Cortes 3
  • 4. IT Policies, Standards and Technical Directives Standards Overview  ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission  ITIL – Information Technology Infrastructure Library  NIST - National Institute of Standards and Technology  PMBOK – Project Management Body of Knowledge  TOGAF - The Open Group Architecture Framework  CMMI for Development - Capability Maturity Model Integration  SEI’s CMM (Capability Maturity Model) for SW  (US DoD) Software Engineering Institute  COBIT - Control Objectives for Information & related Technology  Information Systems Audit and Control Association 07/19/09 Copyright 2009 Sarah Cortes 4
  • 5. IT Policies, Standards and Technical Directives Is the Purpose to…?  Drive you crazy?  Waste your precious resources in a pointless task that will soon be out of date?  Serve as evidence to be used against you later? 07/19/09 Copyright 2009 Sarah Cortes 5
  • 6. IT Policies, Standards and Technical Directives Could policies help….?  Save you after you have already gotten into trouble?  Attempt, however lamely, to keep you out of trouble  Prove that, however obvious the trouble is, it is not your fault 07/19/09 Copyright 2009 Sarah Cortes 6
  • 7. IT Policies, Standards and Technical Directives Calling in the Experts 07/19/09 Copyright 2009 Sarah Cortes 7
  • 8. IT Policies, Standards and Technical Directives Did you know….?  Seven out of ten attacks are from… 07/19/09 Copyright 2009 Sarah Cortes 8
  • 9. IT Policies, Standards and Technical Directives You may be wondering…  Why develop and document IT policies, standards and technical directives?  Is it really worth it? What’s in it for me?  Who will pay for the resources thusly diverted? 07/19/09 Copyright 2009 Sarah Cortes 9
  • 10. IT Policies, Standards and Technical Directives COBIT Control Objectives - Overview • PLAN AND ORGANISE - 10 • ACQUIRE AND IMPLEMENT - 7 • DELIVER AND SUPPORT - 13 • MONITOR AND EVALUATE – 4 • Total - 34 07/19/09 Copyright 2009 Sarah Cortes 10
  • 11. IT Policies, Standards and Technical Directives COBIT Control Objectives - PLAN AND ORGANISE  PO1 Define a Strategic IT Plan  PO2 Define the Information Architecture  PO3 Determine Technological Direction  PO4 Define the IT Processes, Organization and Relationships  PO5 Manage the IT Investment  PO6 Communicate Management Aims and Direction  PO7 Manage IT Human Resources  PO8 Manage Quality  PO9 Assess and Manage IT Risks  PO10 Manage Projects 07/19/09 Copyright 2009 Sarah Cortes 11
  • 12. IT Policies, Standards and Technical Directives COBIT Control Objectives - ACQUIRE AND IMPLEMENT  AI1 Identify Automated Solutions  AI2 Acquire and Maintain Application Software  AI3 Acquire and Maintain Technology Infrastructure  AI4 Enable Operation and Use  AI5 Procure IT Resources  AI6 Manage Changes  AI7 Install and Accredit Solutions and Changes 07/19/09 Copyright 2009 Sarah Cortes 12
  • 13. IT Policies, Standards and Technical Directives COBIT Control Objectives - DELIVER AND SUPPORT  DS1 Define and Manage Service Levels  DS2 Manage Third-party Services  DS3 Manage Performance and Capacity  DS4 Ensure Continuous Service  DS5 Ensure Systems Security  DS6 Identify and Allocate Costs  DS7 Educate and Train Users  DS8 Manage Service Desk and Incidents  DS9 Manage the Configuration  DS10 Manage Problems  DS11 Manage Data  DS12 Manage the Physical Environment DS13 Manage Operations Sarah Cortes  07/19/09 Copyright 2009 13
• 14. COBIT Control Objectives - MONITOR AND EVALUATE
    • ME1 Monitor and Evaluate IT Performance
    • ME2 Monitor and Evaluate Internal Control
    • ME3 Ensure Regulatory Compliance
    • ME4 Provide IT Governance
• 15. COBIT Control Objectives - DS5 Ensure Systems Security
    • DS5.1 Management of IT Security
    • DS5.2 IT Security Plan
    • DS5.3 Identity Management
    • DS5.4 User Account Management
    • DS5.5 Security Testing, Surveillance and Monitoring
    • DS5.6 Security Incident Definition
    • DS5.7 Protection of Security Technology
    • DS5.8 Cryptographic Key Management
    • DS5.9 Malicious SW Prevention, Detection, Correction
    • DS5.10 Network Security
    • DS5.11 Exchange of Sensitive Data
• 16. ISACA Standards, Guidelines & Procedures
    • IS Guideline: G18 IT Governance
    • IS Guideline: G20 Reporting
    • IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
    • IS Guideline: G22 Business to Consumer (B2C) E-commerce
    • IS Guideline: G23 System Development Life Cycle (SDLC)
    • IS Guideline: G24 Internet Banking
    • IS Guideline: G25 Review of Virtual Private Networks
    • IS Guideline: G26 Business Process Reengineering (BPR) Project
    • IS Guideline: G27 Mobile Computing
    • IS Guideline: G28 Computer Forensics
    • IS Guideline: G29 Post Implementation Review
    • IS Guideline: G30 Competence
    • IS Guideline: G31 Privacy
    • IS Guideline: G32 Business Continuity Plan (BCP) - IT Perspective
    • IS Guideline: G33 General Considerations on the Use of Internet
    • IS Guideline: G34 Responsibility, Authority and Accountability
    • IS Guideline: G35 Follow-up Activities
• 17. ISACA Standards, Guidelines & Procedures (continued)
    • IS Guideline: G36 Biometric Controls
    • IS Guideline: G38 Access Controls
    • IS Guideline: G39 IT Organization
    • IS Guideline: G40 Review of Security Management Practices
    • IS Procedure: P01 IS Risk Assessment Measurement
    • IS Procedure: P02 Digital Signatures
    • IS Procedure: P03 Intrusion Detection
    • IS Procedure: P04 Viruses and Other Malicious Logic
    • IS Procedure: P05 Control Risk Self-assessment
    • IS Procedure: P06 Firewalls
    • IS Procedure: P07 Irregularities and Illegal Acts
    • IS Procedure: P08 Security - Pen Testing/Vulnerability Analysis
    • IS Procedure: P09 Mgt Controls Over Encryption Methodologies
    • IS Procedure: P10 Business Application Change Control
    • IS Procedure: P11 Electronic Funds Transfer (EFT)
• 18. Company A Process
    • Over 50 subsidiaries
    • Over 30,000 employees worldwide
    • Over 12,000 employees in Boston area
    • Over 250 IT Policy categories
    • Over 500 Technical directives
    • Periodic Advisory Board Review process
• 19. Company A Issues
    • Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
    • Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
    • A policy begets formal training and training recordkeeping (applications unto themselves)
• 20. Company A Issues (continued)
    • “Required,” “Recommended,” or “Highly Recommended”? (the shell game)
    • Need to self-assess at the policy element level (a/k/a your new full-time job)